1. Field of the Subject Disclosure
The subject disclosure relates to detecting malicious software on mobile devices. In particular, the subject disclosure relates to offloading certain malware detection procedures to a remote server on a network.
2. Background of the Subject Disclosure
Mobile electronic devices, or mobile devices, have become an integral part of our everyday lives. Cellular telephones, smartphones, netbooks, and several other devices are used by billions of people for everyday tasks such as communication and scheduling. Essentially, the core components of historically larger computers, such as transceivers, displays, storage, and powerful processors, are being miniaturized and crammed into small portable devices that are becoming more and more ubiquitous. Modern mobile devices such as the IPHONE and NOKIA N800 run near-complete versions of commodity operating systems like BSD and LINUX. Functionality like complete multiprotocol networking stacks, UI toolkits, and file systems provides developers with a rich environment in which to quickly build applications. However, this complexity opens up mobile devices to the same wide range of threats that target desktops.
One such threat is malicious software, or malware, including viruses and rootkits. Malware is created by malicious entities for several nefarious purposes, may spread itself like a computer virus, and may cripple or even completely disable an electronic device. A particularly potent form of malware is the rootkit, so called because it targets the root of the system, i.e., the operating system (OS) kernel itself. By infecting the code and data of the OS kernel, a rootkit gains control over the layer traditionally considered the trusted computing base (TCB), so that any detection tool running above that layer can itself be deceived. A recent study has reported a 600% increase in the number of rootkits over the three-year period between 2004 and 2006. As this explosive growth continues, the increasing complexity of the hardware and software stack of mobile devices, coupled with the increasing economic value of the personal data stored on them, points to an impending adoption of rootkits in the mobile malware arena.
Currently, mobile security solutions mirror the traditional desktop model, in which detection services run on the device itself. This approach is complex and resource intensive in both computation and power. Code integrity monitors such as Patagonix and kernel data integrity monitors such as Gibraltar offer protection against malicious code in the kernel by checking the integrity of static code pages, or by scanning the kernel's data segment and ensuring that its data structures satisfy certain integrity properties that are normally violated in rootkit-infected kernels. Checking the integrity of all kernel data structures and executable code is a thorough process, but it requires significant processing overhead. On mobile devices this leads to a further problem: excessive power consumption. Security mechanisms today focus on well-provisioned computers such as heavy-duty servers or user desktops. Mobile devices present a fundamental departure from these classes of machines because they are critically resource-constrained.
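To make the two classes of check concrete, the following is an added Python model of a code integrity check and a kernel data integrity check; it is not code from Patagonix, Gibraltar or the present disclosure. The "kernel" is a constructed in-memory stand-in: the page contents, the text segment address, the system call table and the task lists are all assumed values chosen for illustration, and the two invariants (every system call handler lies inside the kernel text segment; every runnable task also appears on the global task list) are representative of the properties such monitors verify, not a description of any particular product.

```python
"""Constructed model of kernel code and data integrity checks (added example)."""
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 4096
TEXT_START = 0xC0100000  # assumed load address of the kernel text segment


@dataclass
class KernelSnapshot:
    """Constructed stand-in for the pieces of kernel memory a monitor reads."""
    code_pages: list      # bytes objects, one per static code page
    syscall_table: list   # handler addresses, indexed by system call number
    all_tasks: set        # PIDs reachable from the global task list
    run_queue: list       # PIDs the scheduler considers runnable

    @property
    def text_end(self):
        return TEXT_START + PAGE_SIZE * len(self.code_pages)


def page_digests(pages):
    """Code integrity: one SHA-256 digest per static code page."""
    return [hashlib.sha256(p).hexdigest() for p in pages]


def modified_pages(snapshot, whitelist):
    """Indices of code pages whose digest differs from the known-good whitelist."""
    return [i for i, d in enumerate(page_digests(snapshot.code_pages))
            if d != whitelist[i]]


def invariant_violations(snapshot):
    """Data integrity: properties a clean kernel satisfies and rootkits typically break."""
    found = []
    # 1. Every system call handler must live inside the kernel's own text
    #    segment; a hooked entry points at rootkit code loaded elsewhere.
    for nr, target in enumerate(snapshot.syscall_table):
        if not (TEXT_START <= target < snapshot.text_end):
            found.append(f"syscall {nr} handler {target:#x} outside kernel text")
    # 2. Every runnable task must also be on the all-tasks list; a process that
    #    is scheduled but unlinked from that list has been hidden.
    for pid in snapshot.run_queue:
        if pid not in snapshot.all_tasks:
            found.append(f"pid {pid} runnable but absent from task list")
    return found


def scan(snapshot, whitelist):
    """Run both checks and return what a monitor would report."""
    return {"modified_pages": modified_pages(snapshot, whitelist),
            "violations": invariant_violations(snapshot)}


def clean_kernel():
    pages = [bytes([0x90 + i]) * PAGE_SIZE for i in range(4)]  # constructed page contents
    table = [TEXT_START + 0x100 * nr for nr in range(8)]       # handlers inside text
    return KernelSnapshot(pages, table, {1, 2, 3}, [1, 3])


def infected_kernel():
    """Constructed rootkit effects: a patched code page, a hooked syscall, a hidden task."""
    k = clean_kernel()
    page0 = bytearray(k.code_pages[0])
    page0[16] = 0xE9                       # one patched instruction byte
    k.code_pages[0] = bytes(page0)
    k.syscall_table[5] = 0xD0000000        # assumed address of injected code
    k.run_queue.append(4)                  # pid 4 runs but is not on the task list
    return k


KNOWN_GOOD = page_digests(clean_kernel().code_pages)

if __name__ == "__main__":
    print(scan(clean_kernel(), KNOWN_GOOD))
    print(scan(infected_kernel(), KNOWN_GOOD))
```

The model also shows where the cost sits: hashing every code page and walking every data structure must read all of kernel memory, whereas comparing the resulting digests and invariant results against known-good values needs only the small report, which is the part of the work a remote verifier could take over.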
While advances throughout the last decade in mobile processor, GPU, and wireless capabilities have been staggering, the hard fact is that mobile devices run on batteries with a limited amount of stored power. Absent resource constraints, security mechanisms check everything they can, all the time. On a mobile device, aggressively performing checks on large sets of security targets will inexorably exhaust the battery and other resources, leaving the device unable to carry on useful tasks. However, no currently known approach addresses the problem of providing security mechanisms in a battery-constrained environment.
What is therefore needed is a more efficient approach to detecting malware on mobile devices, one offering wider coverage than is possible on the resource-constrained mobile device itself.